deps: V8: backport 89dc6eab605c

thibaudmichaud · guybedford · commit 521d704dd2a4 · 2026-04-17T09:29:55.000-07:00
Original commit message: [wasm] Add missing type canonicalization for exceptions JS API When we encode a JS value in a wasm exception, canonicalize the type stored in the tag's signature first. Canonicalize it using the tag's original module by storing the instance on the tag object. R=jkummerow@chromium.org Bug: 346197738 Change-Id: I7575fd79c792d98e4a11c00b466700f0ab82d164 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5613375 Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#94335} Refs: v8/v8@89dc6eab605c
diff --git a/common.gypi b/common.gypi
@@ -38,7 +38,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.46',
+    'v8_embedder_string': '-node.47',
 
     ##### V8 defaults for Node.js #####
 
diff --git a/deps/v8/src/wasm/module-instantiate.cc b/deps/v8/src/wasm/module-instantiate.cc
@@ -2655,8 +2655,10 @@ void InstanceBuilder::ProcessExports(
               isolate_);
           uint32_t canonical_sig_index =
               module_->isorecursive_canonical_type_ids[tag.sig_index];
+          Handle<WasmInstanceObject> instance =
+              handle(trusted_instance_data->instance_object(), isolate_);
           wrapper = WasmTagObject::New(isolate_, tag.sig, canonical_sig_index,
-                                       tag_object);
+                                       tag_object, instance);
           tags_wrappers_[exp.index] = wrapper;
         }
         value = wrapper;
diff --git a/deps/v8/src/wasm/wasm-js.cc b/deps/v8/src/wasm/wasm-js.cc
@@ -1852,7 +1852,8 @@ void WebAssemblyTagImpl(const v8::FunctionCallbackInfo<v8::Value>& info) {
       i::wasm::GetWasmEngine()->type_canonicalizer()->AddRecursiveGroup(&sig);
 
   i::Handle<i::JSObject> tag_object =
-      i::WasmTagObject::New(i_isolate, &sig, canonical_type_index, tag);
+      i::WasmTagObject::New(i_isolate, &sig, canonical_type_index, tag,
+                            i_isolate->factory()->undefined_value());
   info.GetReturnValue().Set(Utils::ToLocal(tag_object));
 }
 
@@ -1898,6 +1899,7 @@ uint32_t GetEncodedSize(i::Handle<i::WasmTagObject> tag_object) {
 
 void EncodeExceptionValues(v8::Isolate* isolate,
                            i::Handle<i::PodArray<i::wasm::ValueType>> signature,
+                           i::Handle<i::WasmTagObject> tag_object,
                            const Local<Value>& arg, ErrorThrower* thrower,
                            i::Handle<i::FixedArray> values_out) {
   Local<Context> context = isolate->GetCurrentContext();
@@ -1955,6 +1957,19 @@ void EncodeExceptionValues(v8::Isolate* isolate,
       case i::wasm::kRefNull: {
         const char* error_message;
         i::Handle<i::Object> value_handle = Utils::OpenHandle(*value);
+
+        if (type.has_index()) {
+          // Canonicalize the type using the tag's original module.
+          i::Tagged<i::HeapObject> maybe_instance = tag_object->instance();
+          CHECK(!i::IsUndefined(maybe_instance));
+          auto instance = i::WasmInstanceObject::cast(maybe_instance);
+          const i::wasm::WasmModule* module = instance->module();
+          uint32_t canonical_index =
+              module->isorecursive_canonical_type_ids[type.ref_index()];
+          type = i::wasm::ValueType::RefMaybeNull(canonical_index,
+                                                  type.nullability());
+        }
+
         if (!internal::wasm::JSToWasmObject(i_isolate, value_handle, type,
                                             &error_message)
                  .ToHandle(&value_handle)) {
@@ -2015,7 +2030,8 @@ void WebAssemblyExceptionImpl(const v8::FunctionCallbackInfo<v8::Value>& info) {
                                                   runtime_exception));
   i::Handle<i::PodArray<i::wasm::ValueType>> signature(
       tag_object->serialized_signature(), i_isolate);
-  EncodeExceptionValues(isolate, signature, info[1], &thrower, values);
+  EncodeExceptionValues(isolate, signature, tag_object, info[1], &thrower,
+                        values);
   if (thrower.error()) return;
 
   // Third argument: optional ExceptionOption ({traceStack: <bool>}).
@@ -3231,9 +3247,9 @@ void WasmJs::PrepareForSnapshot(Isolate* isolate) {
     // Note the canonical_type_index is reset in WasmJs::Install s.t.
     // type_canonicalizer bookkeeping remains valid.
     static constexpr uint32_t kInitialCanonicalTypeIndex = 0;
-    Handle<JSObject> js_tag_object =
-        WasmTagObject::New(isolate, &kWasmExceptionTagSignature,
-                           kInitialCanonicalTypeIndex, js_tag);
+    Handle<JSObject> js_tag_object = WasmTagObject::New(
+        isolate, &kWasmExceptionTagSignature, kInitialCanonicalTypeIndex,
+        js_tag, isolate->factory()->undefined_value());
     native_context->set_wasm_js_tag(*js_tag_object);
     JSObject::AddProperty(isolate, webassembly, "JSTag", js_tag_object,
                           ro_attributes);
diff --git a/deps/v8/src/wasm/wasm-objects.cc b/deps/v8/src/wasm/wasm-objects.cc
@@ -1785,7 +1785,8 @@ void WasmArray::SetTaggedElement(uint32_t index, Handle<Object> value,
 Handle<WasmTagObject> WasmTagObject::New(Isolate* isolate,
                                          const wasm::FunctionSig* sig,
                                          uint32_t canonical_type_index,
-                                         Handle<HeapObject> tag) {
+                                         Handle<HeapObject> tag,
+                                         Handle<HeapObject> instance) {
   Handle<JSFunction> tag_cons(isolate->native_context()->wasm_tag_constructor(),
                               isolate);
 
@@ -1806,6 +1807,7 @@ Handle<WasmTagObject> WasmTagObject::New(Isolate* isolate,
   tag_wrapper->set_serialized_signature(*serialized_sig);
   tag_wrapper->set_canonical_type_index(canonical_type_index);
   tag_wrapper->set_tag(*tag);
+  tag_wrapper->set_instance(*instance);
 
   return tag_wrapper;
 }
diff --git a/deps/v8/src/wasm/wasm-objects.h b/deps/v8/src/wasm/wasm-objects.h
@@ -605,7 +605,8 @@ class WasmTagObject
   static Handle<WasmTagObject> New(Isolate* isolate,
                                    const wasm::FunctionSig* sig,
                                    uint32_t canonical_type_index,
-                                   Handle<HeapObject> tag);
+                                   Handle<HeapObject> tag,
+                                   Handle<HeapObject> instance);
 
   TQ_OBJECT_CONSTRUCTORS(WasmTagObject)
 };
diff --git a/deps/v8/src/wasm/wasm-objects.tq b/deps/v8/src/wasm/wasm-objects.tq
@@ -211,6 +211,7 @@ extern class WasmGlobalObject extends JSObject {
 extern class WasmTagObject extends JSObject {
   serialized_signature: PodArrayOfWasmValueType;
   tag: HeapObject;
+  instance: WasmInstanceObject|Undefined;
   canonical_type_index: Smi;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -211,6 +211,7 @@ extern class WasmGlobalObject extends JSObject {`
`211`	`211`	`extern class WasmTagObject extends JSObject {`
`212`	`212`	`serialized_signature: PodArrayOfWasmValueType;`
`213`	`213`	`tag: HeapObject;`
	`214`	`+ instance: WasmInstanceObject\|Undefined;`
`214`	`215`	`canonical_type_index: Smi;`
`215`	`216`	`}`
`216`	`217`